How to create SSL certificate with Unicode characters in the Organization name (or other fields)?

StackOverflow https://stackoverflow.com/questions/23598872

  •  20-07-2023

Question

I've created a self-signed SSL certificate and have no trouble using it, but the browser (Firefox, Chrome/IE) shows garbled characters in the Organization's name (anything above ASCII has 2 characters).

I created the certificate in a Debian running on virtualbox (Win host), the shell's locales are all *.UTF-8, and I used CA.pl for this. I can create files with Unicode characters and have no other issues, but the cert has "Organizaução" instead of "Organização".

Any tips? Escaping the characters (how)? Dumbing down the locale to ISO/IEC 8859-1? Using some non-shell method? Am I missing something obvious?

On a side note, is there an easy way (i.e. 4ummies™) to distribute the certificate, so a user can just click and install? All the guides I've seen involve too many windows for a regular user to bother with; and without installing it the browser will yelp every time the user visits (except Firefox which allows an easy installation via the warning box).

Edit 1

Checking the asn1parse manpage and using its example:

openssl asn1parse -genstr 'UTF8:Organização'

produces:

0:d=0  hl=2 l=  17 prim: UTF8STRING        :Organização

So I assume it's a problem with the input. This is my locale information:

LANG=pt_PT.utf8
LANGUAGE=en_US:en
All LC_* fields="pt_PT.utf8"
LC_ALL=

I have no problems touching Organização or any other files with non-ASCII characters, yet my CA cert gets dumbed down to 8 bits.

Edit 2

I've started with this tutorial, but went on to reading the OpenSSL man. In reading the req man I came across this in the bugs section: "As a consequence of the T61String handling the only correct way to represent accented characters in OpenSSL is to use a BMPString"

So I tried with:

openssl asn1parse -genstr 'BMP:Organização'

and end up with an empty string:

0:d=0  hl=2 l=  26 prim: BMPSTRING

Solution

Followed another tutorial and adapted the certificate creation to:

openssl req -new -x509 -days 365 -utf8 -out cert.pem -keyout key.pem

I opted to populate the default config file with the answers to the questions (instead of supplying them via the prompt) and added a commented non-ASCII character just to make sure it's a Unicode file (kinda unnecessary I guess but file made me happy by saying UTF-8 Unicode text).
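
As an added illustration (not part of the original answer and not OpenSSL's code), the following Python model shows the two ways the same terminal input can be read. It assumes that without -utf8 each input byte is taken as one Latin-1 character, which reproduces the l=17 and l=26 lengths shown in the question; the names der_string and render are hypothetical.

```python
# Added example: models how the field bytes typed in a UTF-8 shell end up in
# the certificate, depending on how the tool reads them (assumption: the
# non-UTF-8 mode treats each input byte as one Latin-1 character).

TAGS = {"UTF8String": 0x0C, "BMPString": 0x1E}


def der_string(typed: str, string_type: str, input_is_utf8: bool) -> bytes:
    """Return the DER TLV produced for text typed in a UTF-8 terminal."""
    raw = typed.encode("utf-8")                 # bytes the shell hands over
    # Reading step: either decode as UTF-8 or take one character per byte.
    chars = raw.decode("utf-8" if input_is_utf8 else "latin-1")
    # Writing step: encode the characters in the ASN.1 string type.
    if string_type == "UTF8String":
        content = chars.encode("utf-8")
    elif string_type == "BMPString":
        content = chars.encode("utf-16-be")     # 2 bytes per BMP character
    else:
        raise ValueError(f"unsupported string type: {string_type}")
    if len(content) > 127:
        raise ValueError("long-form DER lengths are not handled here")
    return bytes([TAGS[string_type], len(content)]) + content


def render(tlv: bytes) -> str:
    """Decode a TLV the way a certificate viewer would display it."""
    tag, length, content = tlv[0], tlv[1], tlv[2:]
    if length != len(content):
        raise ValueError("length byte does not match content")
    codec = {0x0C: "utf-8", 0x1E: "utf-16-be"}.get(tag)
    if codec is None:
        raise ValueError(f"unsupported tag: {tag:#04x}")
    return content.decode(codec)


if __name__ == "__main__":
    name = "Organiza\u00e7\u00e3o"              # constructed sample input
    for stype in TAGS:
        for utf8 in (False, True):
            tlv = der_string(name, stype, utf8)
            print(f"{stype:10} input_is_utf8={utf8!s:5} "
                  f"l={tlv[1]:3} shown as {render(tlv)!r}")
```

The 17-byte UTF8String is the double-encoded form that is displayed with two characters per accented letter; reading the input as UTF-8 gives 13 bytes and the intended name.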

Other tips

Decode the string into escaped-ASCII and specify on the command line. For the Universität Innsbruck, the umlaut-a must be translated into ASCII bytes. The Unicode tables show that it is U+00E4 which must be represented by the hex character sequence c3 a4. To get that on the command-line, I do:

server=test.uibk.ac.at
openssl req -nodes -newkey rsa:2048 -keyout $server.key -out $server.csr \
-subj '/C=AT/ST=Tyrol/L=Innsbruck/O=Universit\\xC3\\xA4t Innsbruck/OU=IT Services/CN='"$server"

Note, the double-backslashes and single quotes are both required. To test the effect:

openssl x509 -in test.uibk.ac.at.crt -noout -text |grep Subject:

we see

Subject: C=AT, ST=Tyrol, L=Innsbruck, O=Universit\xC3\xA4t Innsbruck, OU=IT Services, CN=test.uibk.ac.at

In the browser, we verify the key and see "Universität Innsbruck" as expected.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow